Mathesar on Ubuntu 24.04 on Azure User Guide
Overview
This image runs Mathesar 0.12.0, an open source web application that gives your team a friendly, spreadsheet like way to browse, enter and edit the data in a PostgreSQL database, with no SQL required. Users work directly in real tables, build explorations (saved queries) to slice and summarise data, and manage schemas, columns, relationships and constraints from the browser, while everything stays in standard PostgreSQL underneath. A JSON-RPC API exposes the same operations for automation.
cloudimg delivers Mathesar fully installed the native way and reverse proxied behind nginx, with the gunicorn application server and its PostgreSQL 16 internal database already configured and managed by systemd, so a working data workspace is operational within minutes of launch.
What is included:
- Mathesar 0.12.0 installed the official native (non Docker) way into
/opt/mathesar, running in a self contained Python virtual environment - PostgreSQL 16 as Mathesar's internal metadata database, with its data directory on a dedicated data disk
- gunicorn serving the Django application on
127.0.0.1:8000, fronted by nginx on port80 - Three systemd units enabled and active:
postgresql@16-main,mathesarandnginx - Secure by default: no administrator account and no shared secret ship in the image. On first boot a unique Django secret key, a unique database password and a unique administrator account are generated and written to a root only file
- A dedicated data disk holding the PostgreSQL data directory and uploaded files
- A fully patched Ubuntu 24.04 LTS base with unattended security upgrades enabled
- 24/7 cloudimg support
Prerequisites
An active Azure subscription, an SSH key pair, and a VNet plus subnet in the target region. Standard_B2s (2 vCPU / 4 GiB RAM) is the recommended size for evaluation and small deployments; for larger datasets choose a size with more memory. NSG inbound: allow 22/tcp from your management network and 80/tcp for the web interface. Mathesar serves plain HTTP on port 80; for production or shared access, terminate TLS in front of it with your own domain (see the final step).
Step 1 - Deploy from the Azure Marketplace
Sign in to the Azure Portal, choose Create a resource, search the Marketplace for Mathesar by cloudimg, and select Create. On Basics pick your subscription, resource group, region and size; under Administrator account choose SSH public key and paste your key; under Inbound port rules allow SSH (22) and HTTP (80). Then Review + create then Create.
Step 2 - Deploy from the Azure CLI
az vm create \
--resource-group <your-rg> \
--name mathesar \
--image <marketplace-image-urn> \
--size Standard_B2s \
--admin-username azureuser \
--ssh-key-values ~/.ssh/id_ed25519.pub \
--vnet-name <your-vnet> --subnet <your-subnet> \
--public-ip-sku Standard
# Open the HTTP port so you can reach the web interface
az vm open-port --resource-group <your-rg> --name mathesar --port 80 --priority 900
Step 3 - Retrieve the per VM admin credentials
Nothing secret is baked into the image. On the very first boot, a one shot service (mathesar-firstboot.service) generates a fresh Django secret key, a fresh database password and a unique administrator account, all unique to your instance. It writes them to /root/mathesar-credentials.txt, readable only by root. SSH in as azureuser and read them:
sudo cat /root/mathesar-credentials.txt
# Mathesar - generated on first boot by mathesar-firstboot.service.
# These credentials are unique to THIS VM. Store them somewhere safe.
mathesar.url=http://20.127.70.55/
mathesar.admin.user=admin
mathesar.admin.pass=Rk8vQ2mL9wU4nZ7pB3hD6yX1
# Canonical keys consumed by the cloudimg smoke verifier + guide substitution:
MATHESAR_ADMIN_USER=admin
MATHESAR_ADMIN_PASSWORD=Rk8vQ2mL9wU4nZ7pB3hD6yX1
The mathesar-firstboot.service one shot is ordered before the application services, so the web UI only ever starts once every per VM secret has been generated. The values above are an example; your instance will have its own unique credentials.

Step 4 - Confirm the services are running
Check that PostgreSQL, the Mathesar application and nginx are all active:
sudo systemctl is-active postgresql@16-main mathesar nginx
All three report active. gunicorn binds to loopback only (127.0.0.1:8000) and nginx publishes the interface on port 80:
sudo ss -tlnp | grep -E ':80 |:8000 '

Step 5 - Confirm the web endpoints
The sign in page is public and returns 200. Mathesar requires authentication for everything else, so an anonymous request to the application is redirected to the login page and the JSON-RPC API rejects unauthenticated calls. This is the secure default.
curl -s -o /dev/null -w 'HTTP %{http_code}\n' http://localhost/auth/login/
curl -s -o /dev/null -w 'HTTP %{http_code}\n' http://localhost/

Step 6 - Sign in to the web UI
Browse to http://<vm-ip>/ and sign in as admin with the password from /root/mathesar-credentials.txt. Mathesar opens on the login page.

After signing in you land on the Databases home. A freshly deployed instance starts empty; the screenshots in this guide show Mathesar with an example connected database so you can see the interface populated. From here you connect an existing PostgreSQL database or create a new one to start working with your data.

Step 7 - Work with your data: schemas and tables
Open a database to see its schemas, each holding a set of tables. Mathesar shows the tables, explorations and forms defined in the schema, and lets you create new ones from the browser.

Open a table to work with its data in the spreadsheet like grid. You can browse, filter, sort, group and edit records directly, follow relationships to related tables, and inspect and change the table's columns and constraints from the Inspector panel, all without writing SQL.

Step 8 - Use the JSON-RPC API
Mathesar exposes a JSON-RPC API at /api/rpc/v0/ that drives the same operations as the web UI, so you can automate schema and data management. Calls are authenticated with a Django session. The example below signs in, then lists the connected databases:
$ # sign in and keep the session cookie
$ curl -s -c jar.txt http://<vm-ip>/auth/login/ -o /dev/null
$ CSRF=$(awk '/csrftoken/{t=$7} END{print t}' jar.txt)
$ PASS=$(sudo grep '^MATHESAR_ADMIN_PASSWORD=' /root/mathesar-credentials.txt | cut -d= -f2-)
$ curl -s -c jar.txt -b jar.txt -e http://<vm-ip>/auth/login/ \
--data-urlencode csrfmiddlewaretoken=$CSRF \
--data-urlencode username=admin \
--data-urlencode password=$PASS \
http://<vm-ip>/auth/login/ -o /dev/null
$ # call a JSON-RPC method with the authenticated session
$ curl -s -b jar.txt -H 'Content-Type: application/json' -H "X-CSRFToken: $CSRF" \
-e http://<vm-ip>/ \
--data '{"jsonrpc":"2.0","method":"databases.configured.list","params":{},"id":1}' \
http://<vm-ip>/api/rpc/v0/
connected databases: 1
- mathesar_demo
The per VM administrator login proves end to end that your credentials work, and an unauthenticated JSON-RPC call is rejected. This is the same round trip the cloudimg image self checks on first boot:

Step 9 - Enable HTTPS with your own domain
Mathesar ships on plain HTTP on port 80 so it works immediately. For production, point a DNS record at the VM's public IP, add the hostname to ALLOWED_HOSTS in /opt/mathesar/.env, and terminate TLS with a certificate. A common approach is to place Caddy or nginx in front with a certificate from Let's Encrypt, or to put Azure Application Gateway in front of the VM. After editing /opt/mathesar/.env, restart the application:
$ sudo systemctl restart mathesar
Administration and support
The Mathesar application lives in /opt/mathesar, its environment (database connection, secret key and allowed hosts) in /opt/mathesar/.env, and its PostgreSQL data directory and uploaded files on the dedicated data disk at /var/lib/mathesar-data. Manage the service with sudo systemctl restart mathesar. To add another administrator, use the Mathesar admin pages under Settings in the web UI, or the Django management command shipped in the virtual environment.
This image is a repackaged open source software product with additional charges for cloudimg support services. Our engineers provide 24/7 support for deployment, upgrades, TLS termination, connecting your existing PostgreSQL databases, API automation and scaling. Mathesar is a trademark of its respective owner; use of the name here is purely to identify the software this image packages, and this image is not affiliated with or endorsed by the Mathesar project.